FAQ

How do I contact the Emirates Identity Authority to start testing the Validation Gateway?

You can obtain more information by calling 6005 30003 (Call center), by visiting our website http://vg.emiratesid.ae and filling out the form under “contact us,” or you can send an email to vgadmin@emiratesid.ae stating your needs and intended usages and the Emirates Identity Authority will then contact you.

How can our organization test the solution to determine if it can be used for our purposes?

The Emirates Identity Authority can offer a test phase using the QA system. The Authority will give technical and organizational assistance with card readers and test cards during the trial period.

What is a Service Provider (SP)?

A service provider is an entity that uses the services of the Validation Gateway to enable online digital services based on the Emirates ID card. A service provider can in turn offer these services to other individuals or entities. ADSIC is an example of a service provider for the Abu Dhabi government.

How can our organization become a Service Provider?

The Emirates Identity Authority provides a structured approach for on-boarding service providers who are poised to use its services. For more information, please contact: vgadmin@emiratesid.ae.

What is a digital signature and what is the difference from the visible signature on the card?

A digital signature is the standard way to securely sign a digital document with a unique signature and, at the same time, seal the document so that no changes can be made after it has been signed. Performing a digital signature creates a unique fingerprint (signature) from the document. This “signature,” or coded message, is unique to both the document and the signer and binds the two together. Any change to the original document invalidates the signature, because the unique fingerprint will differ. Unlike a written signature or a signature image, the digital signature cannot be copied or forged.

The visible signature on the card can be seen as a copy, or an image, of the physical signature. This electronic copy of your handwritten signature can be copied into an electronic document. This is considered insecure, as the image can easily be copied and used by anyone. There is also no way to verify whether the content of the document was altered after the signature was added. The visible signature is often used in the wrong context because it is mistaken for a digital signature.
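The contrast between the two kinds of signature can be shown in a few lines. This is an added illustration, not code from the Emirates Identity Authority or its SDK: it uses textbook RSA with a deliberately tiny, constructed key so that it runs with only the Python standard library, and it is not the algorithm or key size used by the card. All names and sample documents are assumptions made for the example.

```python
import hashlib

# Constructed toy key built from two Mersenne primes (~150-bit modulus).
# Far too small for real use, and no padding scheme is applied.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, known only to the signer

# Stand-in for the scanned handwritten signature: the same bytes everywhere.
SIGNATURE_IMAGE = b"<scanned handwritten signature>"


def fingerprint(document: bytes) -> int:
    """Hash the document and map the digest into the key's range."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(document: bytes) -> int:
    """Digital signature: the document's fingerprint transformed with the private key."""
    return pow(fingerprint(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Anyone with the public key (N, E) can recompute and compare the fingerprint."""
    return pow(signature, E, N) == fingerprint(document)


def stamp_image(document: bytes) -> bytes:
    """Visible signature: paste the image into the document."""
    return document + SIGNATURE_IMAGE


def image_present(stamped: bytes) -> bool:
    """The only check an image allows: is the picture there?"""
    return stamped.endswith(SIGNATURE_IMAGE)


def demo() -> dict:
    original = b"Pay AED 100 to account 1234"   # constructed sample documents
    altered = b"Pay AED 900 to account 1234"
    sig = sign(original)
    return {
        "digital_on_original": verify(original, sig),
        "digital_on_altered": verify(altered, sig),   # same signature, changed text
        "image_on_original": image_present(stamp_image(original)),
        "image_on_altered": image_present(stamp_image(altered)),
    }


if __name__ == "__main__":
    print(demo())
```

The digital signature stops verifying as soon as one character of the document changes, while the pasted image is accepted on any document it is copied into.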

Do I need a card reader?

Yes, a card reader is needed to access the data on the card. When using functions requiring biometrics (i.e. to read the fingerprint) a specific reader must be used.

What card readers are supported?

Any PC/SC-compliant reader is supported for reading card data and performing digital signatures. When using biometrics (fingerprint), a card reader with a biometric sensor is required.

How secure is my card info while transmitting to the Validation Gateway?

Refer to the documents Fields Stored in UAE ID Card V1 and Fields Stored in UAE ID Card V2, available under the document tab.

How secure is my card info while transmitting to EIDA VG?

All communication between the web Applet/ActiveX and the Gateway's backend will be over SSL.

What should I do if I forget my PIN?

You can set a new PIN using the “Reset PIN” option. Note that you must have a card reader with fingerprint capability, as the process prompts you to present your fingerprint as a security measure to ensure that you are the cardholder.

If my card has expired, is there a grace period during which I still can authenticate using the card?

No, the Validation Gateway will check if the card is valid. If it has expired, the service will be blocked for security reasons.

Can I verify the PIN without the presence of the card?

No, the PIN is only located on the card and will grant only the cardholder access to the card. This ensures that only the cardholder can make use of the card. The Validation Gateway does not know the individual PIN.

Can the services be carried out offline?

All services provided by the Emirates Identity Authority are online services. For offline use, customers can use the SDK to develop their own services. Note that all services regarding biometrics can only be used online for legal reasons.

Will there be more functionality offered by Emirates Identity Authority in the future?

The Emirates Identity Authority is constantly working to enhance the usage of the Emirates ID card in the online environment. Many functionality and improvement projects are currently in planning.

Which IT components does a service provider need if it wants to integrate the online ID function into its service?

The service provider exchanges data with Emirates ID using web service communication. In addition to an interface description, the service provider also receives an example of implementation.

Which preconditions must a company or an agency (service provider) fulfill in order to be authorized to use the online ID function in its service?

Applications for authorization must be submitted to the Issuing Office for Authorization Certificates, which then issues the letter of authorization.

Which services do e-ID service providers perform for government agencies and private companies that accept the new Emirates ID card as an online authentication document?

The service provider reads the data that has been released from the ID card. This release is dependent on the regulations of the Issuing Office for Authorization Certificates, the requirements of the service provider and, of course, on the holder of the ID card who must authorize each data transmission with his or her PIN.

How much does this cost the service provider?

Connecting an e-ID service is currently free.

What happens when data fraud is suspected?

Data misuse is when the service provider uses its authorization certificate for transactions that it did not name when applying for authorization, or when the service provider passes customer data on to third parties. The Issuing Office for Authorization Certificates can revoke authorization if data misuse is suspected. The technical authorization certificates of the CSP are only valid for two days and would not be renewed in such a case.

What happens if the user refuses to release the data categories requested by the service provider?

In this case, the data is neither read nor transmitted because the holder of the new ID card must consent to the transmission and confirm this with his or her PIN. The service provider is generally authorized by the Issuing Office for Authorization Certificates to request certain data. If the ID card holder does not wish to transmit this data in full, the service provider decides whether or not to continue with the transaction.

How can service providers find a suitable e-ID Service provider?

The e-ID Service providers currently available in UAE can be found at www.emiratesid.ae.

The service provider’s application must include various documents and information, such as proof of the extent to which the service provider wishes to read out data for the purpose of its service. The letter of authorization issued is valid for a maximum period of three years.

What exactly is identity theft?

Though specialist literature has various definitions for the term identity theft, it usually means, “Gaining unauthorized possession of an identity.” A perpetrator gains possession of another person’s identity (i.e. certain data through which the victim can be clearly linked to a certain context). For instance, an identity thief will combine the victim’s name and credit card data, their name and address, or even their name and date of birth. This theft is often followed by fraud in order to obtain a financial gain or to ruin the victim’s reputation.

Around one third of all identity theft still takes place today in the real, physical world where thieves use the data of a stolen ID card, for instance, to place orders for themselves. In two thirds of cases, however, the data used by identity thieves for criminal attacks is obtained on the Internet. This situation is often made easy when people freely disclose personal information and other data.

The police estimate that victims of online identity theft need to invest an average of around 400 working hours in order to eliminate the damage caused and to prevent further misuse.

What are the advantages of integrating the online ID function (and the connection to an e-ID service) compared to using a password and PIN for online services?

The online ID function offers enormous benefits for both customers and service providers:

The customer only has to remember one password; this makes the online service much more convenient

Lower costs for resetting passwords and the related posting of password letters

Phishing and Trojan attacks are more difficult; this means greater security for the customer portal operator

The service provider’s customer data is also better protected

The service provider automatically fulfills the Commission’s requirements regarding youth media protection by state institutes

Compliance with the requirements of the Money Laundering Act

Can service providers test the e-ID Service before using it?

Yes, this is possible during various phases of the project. If a service provider is interested in connecting to an e-ID Service, Emirates ID recommends that the service first be used in a test environment.

In this case, the data exchange channel between the service provider and Emirates Identity Authority has already been mapped. Predefined messages and error codes are sent so that the service provider can fully prepare before going live. The following scenarios can be tested: The ID card holder enters the wrong PIN or fails to release the data. ID cards are not used in the test environment. This takes place during a test in the “reference environment.” A test run in the reference environment corresponds almost fully to real implementation and is recommended for demonstrating the e-ID service within the company. It is generally possible to go live with the e-ID service once the trial in the test environment has been completed.

How can data protection and data security be guaranteed when the online ID function is used?

The technical security level of the entire system that protects the data of the new Emirates ID card against unauthorized access is very high. The chip also meets the highest security standards. Just as with other applications, such as e-Banking or Internet shopping, the precise level of security depends on the user’s computer environment. The Emirates ID card protects against identity theft and, with its security protocols and mechanisms, it prevents unauthorized parties from reading, copying, or manipulating information.

Before data is transmitted, the ID card checks whether the requesting service or the requesting agency is authorized to request the information. Unnoticed data reading is not possible. Furthermore, all information and transmissions are protected by internationally recognized and established technical means (encryption and signature).

The user's personal information is also safe on the Internet; only the person in possession of the ID card and the four-digit PIN can release the information for transmission. Data can only be exchanged between the cardholder and the service provider.